Validate TCP message string lengths by kevinherron · Pull Request #1746 · eclipse-milo/milo

kevinherron · 2026-05-17T14:49:33Z

Fix a remotely-triggerable denial-of-service in OPC UA TCP Hello/Error decoding where attacker-controlled string lengths could cause large/unbounded heap allocations and negative-size allocations.
Restore protocol and encoding limits (endpoint URL max bytes and message-size limits) and ensure frame-bounds checking happens before any allocation.

HelloMessage: validate constructor using UTF-8 encoded byte length, encode endpoint URL using UTF-8 byte length, and in decode reject negative lengths, enforce MAX_ENDPOINT_URL_LENGTH, and verify the declared length fits in buffer.readableBytes() before allocating and reading bytes.
ErrorMessage: encode reason using UTF-8 byte length, make decode throw UaException, reject negative lengths, enforce a message-size limit (EncodingLimits.DEFAULT_MAX_MESSAGE_SIZE), and verify remaining frame bytes before allocation.
Tests: add new ErrorMessageTest and extend HelloMessageTest with cases for negative lengths, truncated frames, and oversized lengths to cover the regression.
Misc: adjust imports and signatures (throws UaException) where needed to propagate decoding errors.

Validate TCP message string lengths

64837b0

kevinherron added this to the 1.1.4 milestone May 17, 2026

kevinherron merged commit e6062c0 into eclipse-milo:main May 17, 2026
3 checks passed

kevinherron added bug stack labels May 17, 2026

Provide feedback